GCN, 03/03/08 issue
VA gets its rights
Sidebar | How rights management works at Veterans Affairs
By Joab Jackson
1. The first time a Veterans Affairs Department employee needs to protect a Microsoft Office document or Microsoft Outlook e-mail message, the employee's computer fetches a client certificate from the Rights Management Services (RMS) server (see image below). This one-time step lets the employee set the rights on a document, such as whether others may read or modify it.

2. After creating a file or e-mail message in Word, Excel, PowerPoint or Outlook, the employee defines a set of usage rights and conditions for it, such as which named users may read or edit it and when access expires. The application generates a publishing license that carries those usage policies.

3. The application encrypts the file with a freshly generated symmetric key, then encrypts that symmetric key with the public key of the Windows RMS server and stores the result in the publishing license. Because only the server holds the matching private key, only the author's Windows RMS server can recover the symmetric key and issue licenses to decrypt the file.

4. The employee distributes the file.

5. A recipient receives the protected file or e-mail message and opens it. If the recipient's computer does not yet have an account certificate, the RMS server issues one. The publishing license, which the author's application signed with its client licensor certificate, includes the URL of the RMS server, so the recipient's application knows where to ask for a use license.

6. The application requests a use license from the RMS server. The request includes the recipient's account certificate and the publishing license. The Windows RMS licensing server validates the account certificate, checks that the recipient is one of the named users in the publishing license's policy and creates a use license. During this process, the server decrypts the symmetric key using its own private key, re-encrypts the symmetric key using the public key from the recipient's account certificate and places the re-encrypted symmetric key in the use license. These steps ensure that only the intended recipient can decrypt the symmetric key and thus decrypt the protected file. The server also adds any relevant conditions to the use license, such as an expiration date or an application or operating system exclusion.

7. When validation is complete, the licensing server returns the use license to the recipient's client computer.

8. After receiving the use license, the application examines the license and the recipient's account certificate to confirm that both are valid and that the license was issued to this recipient. If all requirements are met and no condition blocks access to the file, the application decrypts and renders the data, and the user may exercise only the rights that were granted.
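
The eight steps above as one runnable round trip, added here for illustration; it is not part of the original sidebar and not Microsoft's RMS code. It substitutes textbook RSA over fixed Mersenne primes for RMS's padded RSA, an HMAC-SHA256 keystream for AES, and an HMAC tag for the server's signature on account certificates; the server URL, the user names and the document text are constructed. What it keeps is the security-relevant shape of the protocol: the content key is wrapped only to the licensing server, the server re-wraps it to the named recipient's public key after checking the account certificate and the policy, and a recipient who is not named in the publishing license receives an error rather than a key.

```python
# Added illustration of the RMS publish/consume flow (steps 1-8). Not Microsoft's code.
# Textbook RSA over fixed Mersenne primes stands in for padded RSA, an HMAC-SHA256
# keystream stands in for AES, and an HMAC secret stands in for the server's signing key.
import hashlib
import hmac
import secrets
import time

SERVER_URL = "https://rms.example.va.gov/_wmcs/licensing"  # assumed URL, for illustration only
SERVER_SECRET = secrets.token_bytes(32)                     # toy account-certificate signing secret

def make_keypair(p, q, e=65537):
    """Textbook RSA key pair from two constructed primes (demo only, no padding)."""
    n = p * q
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, (p - 1) * (q - 1))}

def wrap(pub, key):
    """Encrypt a 16-byte symmetric key to a public key."""
    return pow(int.from_bytes(key, "big"), pub["e"], pub["n"])

def unwrap(priv, c):
    """Recover the 16-byte symmetric key; None if this private key does not match."""
    try:
        return pow(c, priv["d"], priv["n"]).to_bytes(16, "big")
    except OverflowError:
        return None

SERVER_PUB, SERVER_PRIV = make_keypair(2**89 - 1, 2**107 - 1)  # the licensing server's key pair

def keystream_xor(key, nonce, data):
    """XOR with an HMAC-SHA256 keystream in counter mode (stand-in for AES)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def issue_account_cert(user, pub):
    """Steps 1 and 5: the server binds a user's public key to that user's identity."""
    body = f"{user}|{pub['n']}|{pub['e']}".encode()
    return {"user": user, "pub": pub, "sig": hmac.new(SERVER_SECRET, body, hashlib.sha256).hexdigest()}

def verify_account_cert(cert):
    """Server-side check that the certificate was issued by this server and not altered."""
    body = f"{cert['user']}|{cert['pub']['n']}|{cert['pub']['e']}".encode()
    return hmac.compare_digest(cert["sig"], hmac.new(SERVER_SECRET, body, hashlib.sha256).hexdigest())

def publish(content, policy):
    """Steps 2-3: encrypt with a fresh symmetric key and wrap that key to the server only."""
    key, nonce = secrets.token_bytes(16), secrets.token_bytes(12)
    ciphertext = keystream_xor(key, nonce, content)
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).hexdigest()
    return {"ciphertext": ciphertext, "nonce": nonce, "tag": tag,
            "publishing_license": {"server_url": SERVER_URL, "policy": policy,
                                   "wrapped_key": wrap(SERVER_PUB, key)}}

def issue_use_license(account_cert, publishing_license, now=None):
    """Step 6: validate the recipient, then re-wrap the key from the server to the recipient."""
    now = time.time() if now is None else now
    if not verify_account_cert(account_cert):
        return {"error": "invalid account certificate"}
    rights = publishing_license["policy"]["rights"].get(account_cert["user"])
    if not rights:
        return {"error": "not a named user"}
    expires = publishing_license["policy"]["expires"]
    if now > expires:
        return {"error": "expired"}
    key = unwrap(SERVER_PRIV, publishing_license["wrapped_key"])  # only the server can do this
    return {"user": account_cert["user"], "rights": rights, "expires": expires,
            "wrapped_key": wrap(account_cert["pub"], key)}        # now only the recipient can

def consume(priv, account_cert, protected, use_license, now=None):
    """Step 8: check the license, unwrap the key, verify integrity, decrypt."""
    now = time.time() if now is None else now
    if "error" in use_license or use_license["user"] != account_cert["user"]:
        return None
    if now > use_license["expires"]:
        return None
    key = unwrap(priv, use_license["wrapped_key"])
    if key is None:
        return None
    expected = hmac.new(key, protected["nonce"] + protected["ciphertext"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, protected["tag"]):
        return None
    return keystream_xor(key, protected["nonce"], protected["ciphertext"])

def demo():
    """Constructed run: Bob is named in the policy, Mallory is not."""
    bob_pub, bob_priv = make_keypair(2**61 - 1, 2**127 - 1)
    mal_pub, mal_priv = make_keypair(2**61 - 1, 2**107 - 1)
    bob_cert = issue_account_cert("bob@va.gov", bob_pub)
    mal_cert = issue_account_cert("mallory@example.org", mal_pub)
    doc = b"Constructed sample: claim 12345 eligibility approved."
    protected = publish(doc, {"rights": {"bob@va.gov": ["view"]}, "expires": time.time() + 3600})
    bob_lic = issue_use_license(bob_cert, protected["publishing_license"])
    mal_lic = issue_use_license(mal_cert, protected["publishing_license"])
    return consume(bob_priv, bob_cert, protected, bob_lic), consume(mal_priv, mal_cert, protected, mal_lic)

if __name__ == "__main__":
    print(demo())
```

The toy also makes one thing visible that the step list only implies: the checks in consume are policy enforcement by a trusted application, not cryptography. Once a recipient's application holds the unwrapped key, only that application's good behaviour stops it from ignoring a "view only" right, which is why the server can attach application or operating system exclusions to a use license in step 6.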
